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carrier signal by performing 
an exclusive-OR of the 
encrypted message with a 
first portion of the carrier 
signal. 



A . 




1 


-80 . 





.74 



U0 



f 

FOR THE PURPOSES OF INFORMATION ONLY 
Codes used to identify States party to the PCT on the front 



AL 

AM 

AT 

AU 

AZ 

BA 

BB 

BE 

BF 

BG 

BJ 

BR 

BY 

CA 

CF 

CC 

CH 

CI 

CM 

CN 

CU 

CZ 

DC 

DK 

EE 



Albania 

Armenia 

Austria 

Australia 

Azerbaijan 

Bosnia and Herzegovina 

Barbados 

Belgium 

Burkina Faso 

Bulgaria 

Benin 

Brazil 

Belarus 

Canada 

Central African Republic 

Congo 

Switzerland 

Cdte d'lvoire 

Cameroon 

China 

Cuba 

Czech Republic 
Germany 
Denmark 
Estonia 



pages of pamphlets publishing international applications under the PCT. 



ES 

FI 

FR 

GA 

GB 

GE 

GH 

GN 

GR 

HU 

IE 

IL 

IS 

IT 

JP 

KE 

KG 

KP 

KR 

KZ 

LC 

LI 

LK 

LR 



Spain 
Finland 
France 
Gabon 

United Kingdom 

Georgia 

Ghana 

Guinea 

Greece 

Hungary 

Ireland 

Israel 

Iceland 

Italy 

Japan 

Kenya 

Kyrgyzstan 

Democratic People's 

Republic of Korea 

Republic of Korea 

Kazakstan 

Saint Lucia 

Liechtenstein 

Sri Lanka 

Liberia 



IS 
LT 
LU 
LV 
MC 
MD 
MG 
MK 

ML 

MN 

MR 

MW 

MX 

NE 

ML 

NO 

NZ 

PL 

PT 

RO 

RU 

SD 

SE 

SG 



Lesotho 

Lithuania 

Luxembourg 

Latvia 

Monaco 

Republic of Moldova 

Madagascar 

The former Yugoslav 

Republic of Macedonia 

Mali 

Mongolia 

Mauritania 

Malawi 

Mexico 

Niger 

Netherlands 

Norway 

New Zealand 

Poland 

Portugal 

Romania 

Russian Federation 

Sudan 

Sweden 



SI 


Slovenia 


SK 


Slovakia 


SN 


Senegal 


SZ 


Swaziland 


TD 


Chad 


TG 


Togo 


TJ 


Tajikistan 


TM 


Turkmenistan 


TR 


Turkey 


TT 


Trinidad and Tobago 


UA 


Ukraine 


UG 


Uganda 


US 


United States of America 


uz 


Uzbekistan 


VN 


Viet Nam 


YU 


Yugoslavia 


zw 


Zimbabwe 



BNSDOCID:<WO 9911020A1J_> 



WO 99/11020 



PCT/US98/17321 



-1- 

HIDING OF ENCRYPTED DATA 

Field of the Tnvention 

The present invention relates to methods and apparatus for hiding data 
5 within a digital signal, and particularly for concealing information within multimedia 
signals such as digital image, audio, or video signals. More particularly, the present 
invention relates to methods and apparatus for embedding and retrieving information into 
and out of a digital signal used in multimedia applications while minimizing the effect on 
the multimedia application of the digital signal. 

10 

Background and Summary of the Invention 

The art of concealing information has existed for millennia and is one to 
which computers have been readily adapted. It is known, for example, to use computers 
for encrypting data using various symmetric and asymmetric cryptographic schemes such 
1 5 as the Data Encryption Standard (DES) and RSA encryption, and cryptographic software 
packages such as PGP (Pretty Good Privacy). Another technique for concealing 
information for which computers are used is data hiding or steganography, in which the 
existence of certain information is concealed within a carrier communication. In contrast 
to cryptography, where it is a goal to make a message undecipherable regardless of its 
20 detection, with steganography it is a goal to hide the very existence of the hidden 

message. An example of a known steganography technique using computers is to embed 
a digital watermark into a digital image. 

According to the present invention, a method of hiding data is provided. 
A message to be hidden and an encrypting sequence are provided along with a carrier 
25 signal that conveys information (unrelated to the message). An encrypted message is 
generated based on the message and the encrypting sequence. The encrypted message is 
embedded into the carrier signal by performing an exclusive-OR of the encrypted message 
with a first portion of the carrier signal. 

In preferred embodiments, the carrier signal is a digital image, and the first 
30 portion of the carrier signal is an LSB plane of the digital image. The digital image has a 
plurality of color planes, the first portion of the carrier signal is an LSB plane of a first 
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color plane, and the second portion of the carrier signal is an LSB plane of a second color 
plane. 

According to another aspect of the invention, the carrier signal is 
transmitted to a receiving location. The encrypted message is extracted and from the 
carrier signal and deciphered at the receiving location. In preferred embodiments, the 
encrypted sequence is generated based on an encrypting key. The encrypted message is 
generated by performing an exclusive-OR of the message with the encrypting sequence. 

Accordin S 10 yet another aspect of the inferitiohTa method of data hiding " 
is provided in which an encryption key and a carrier signal that conveys information 
unrelated to the encryption key are supplied. An encryption sequence based on the 
encryption key is generated. The encryption sequence is embedded into the carrier signal. 

In preferred embodiments, the encryption key is a public key for an 
asymmetric encryption algorithm. The carrier signal can be a signal such as a digital 
image, digital audio, or digital video. The encryption sequence is substantially random, 
and can be generated based on a linear feedback shift register. The encryption sequence is 
embedded into the carrier signal by performing an exclusive-OR of the encryption 
sequence with a portion of the carrier signal. 

According to other aspects of the invention, the carrier signal including the 
embedded encryption sequence is transmitted to a receiving location. The encryption 
sequence is extracted from the composite signal at the receiving location. The encryption 
sequence is decrypted to obtain the encryption key. The encryption key is used to 
generate an encrypted message at the receiving location, and the encrypted message is 
transmitted from the receiving location. 

According to yet another aspect of the invention, a method of data hiding 
is provided. An encrypted message is embedded into a first portion of a carrier signal and 
message extraction information is embedded into a second portion of the carrier signal for 
extracting the encrypted message from the first portion of the carrier signal. 

In preferred embodiments, the encrypted message is embedded by 
performing an exclusive-OR of the encrypted message with the first portion of the carrier 
signal. The message extraction information is embedded by performing an exclusive-OR 
of the first portion of the carrier signal with the second portion of the carrier signal. The 
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first and second portions of the carrier signal can be first and second bit-planes of a digital 
image. 

According to still another aspect of the invention, a method of exchanging 
data hidden in a carrier signal is provided. A signal including hidden data is generated by 
5 transforming a carrier signal from a first domain into a second domain. A message is 
embedded into the carrier signal in the second domain. The carrier signal is transformed 
back from the second domain to the first domain. The signal including hidden data is sent 
to a receiving location. The message is obtained from the signal including hidden data at 
the receiving location by transforming the signal including hidden data into the second 
10 domain and extracting the message. 

In preferred embodiments, the message is encrypted prior to generating the 
signal including hidden data. The message is decrypted after obtaining the message from 
the signal including hidden data. 

According to still yet another aspect of the invention, a data hiding 
15 apparatus is provided. An encryption sequence generator generates an encryption 
sequence based on an encrypting key. An encrypted message generator generates an 
encrypted message based on the encryption sequence and an input message. An 
encrypted message embedder embeds the encrypted message into a carrier signal. 

In preferred embodiments, the encryption sequence generator generates a 
20 substantially random encryption sequence. The encrypted message embedder performs an 
exclusive-OR of the encrypted message with a portion of the carrier signal. The 
encrypted message embedder replaces a first LSB plane of a digital image with 
information based on a second LSB plane of the digital image and performs an exclusive- 
OR of the encrypted message with the second LSB plane of the digital image. The 
25 encrypted message generator performs an exclusive-OR of the input message with ihe 
encrypting sequence to generate the encrypted message. 

Additional features of the invention will become apparent to those skilled 
in the art upon consideration of the following detailed description of the preferred 
embodiments exemplifying the best mode of carrying out the invention as presently 
30 perceived. 
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Brief Description of tte Diamnsa 

Fig. 1 is a block diagram of two computer systems connected over a 
network, each computer system configured with a processor and memory for 
implementing embodiments of the present invention; 

Fig. 2 is a flow chart showing a method according to the present invention 
for hiding data within an image for transmission over a network; 

Fig. 3 is a high level block diagram showing a technique for embedding 
encrypted -information-into a carrier signal; - ._ - _. 

Fig. 4 is a more detailed block diagram similar to Fig. 3 showing a similar, 
more specific technique for embedding encrypted information into a carrier signal; 

Fig. 5 is a stylized representation of a message format containing 
embedded, hidden information; 

Fig. 6 is a stylized representation similar to Fig. 5 of an alternative message 

format; and 

Fig. 7 is a flow chart showing an alternative method according to the 
present invention for hiding data within an image for transmission over a network. 



Petailed Description of the. Illusiraiiye Embodimsnts 

The present invention lends itself to implementation in a conventional 
computer network 10 as shown in Fig. I. Computer network 10 illustratively includes 
computer systems 12, 18 connected through a series of network communication devices 
14, 16, 20 (e.g., modems, transceivers, etc.) for communication over a network 22 such 
as the standard telephone lines, or the Internet or World Wide Web. Computer systems 
12, 18 are illustratively personal computers and each includes basic elements such as a 
processor 26, 32, memory 28, 34, storage device 30, 36, and display 3 1, 38. Computer 
systems 12, 18 can also include optional peripheral devices such as removable storage 
device 40 (e.g., a CD-ROM or 3 '/* inch disk drive). 

An exemplary method of data hiding according to the present invention 
that is suitable for carrying out on computer network 10 is shown in Fig. 2. Although the 
30 present invention is disclosed in the context of certain embodiments discussing digital 
images, other digital signals, such as digital audio or video signals, are also within the 
scope of the invention. 
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According to the method of Fig. 2, an image is used to transport and 
exchange data that is embedded in the image itself and that cannot be perceived by the 
human eye. An appropriate analogy is that the image acts as an envelope, with the 
embedded data transmitted with the image being equivalent to a letter contained within 

5 the envelope. Conventional encryption such as PGP or RSA is used to enhance security 
of the embedded data. The security is improved because the encrypted data is hidden 
within the image and therefore cannot be recognized as such. This allows for secure data 
communication and exchange over an insecure transmission channel 

In step 50 an original digital image is obtained. A secret message that is 

10 desired to be embedded into the image is generated in step 52. A message encrypting key 
is used in step 54 to generate an encryption sequence. The message encrypting key can 
be a seed value for use in generating an m-sequence from a linear feedback shift register 
as discussed in more detail below, although it is understood that any suitable message 
encrypting algorithm can be used. As also discussed below, the message encrypting key 

15 will ultimately be used by the recipient of the image embedded with the secret message. 

In step 56 the secret message from step 52 is encrypted with the 

encryption sequence from step 54 to create an encrypted message. The encrypted 
message is then embedded into the image in step 58. There are many methods to embed 
the encrypted message into the image such as the method discussed below, but, again, it is 

20 understood that other suitable methods can be used. 

The image with the embedded message is then made available such as on a 
public network as shown in step 60. Finally, if the secret message from step 52 is actually 
information that is not desired to be kept secret, such as a public key for an asymmetric 
encryption algorithm, then the encryption key from step 54 is also made available on the 

25 public network as shown in steps 62, 64. This allows for third parties to extract the 

message from the image. Thus, for example, the message can be a public encryption key 
that is hidden within the image but that is readily available to a party that has knowledge 
of the fact that the hidden message exists. This provides a convenient way of exchanging 
information, such as allowing an individual to make a public encryption key available over 

30 the World Wide Web by posting it within an image on a Web site, while still concealing 
the information from the casual observer. 
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ll is useful at this point to provide some preliminary definitions before 
d.scussing a specific implementation of the method of Fig. 2. The symbol e denotes a bit 
exdusive-OR function (equivalent^, modulo-2 addition). Table 1 illustrates the 
exclusive-OR function: 

5 Table! 

■A. JL A ® B 

*• 0 0 0 

0 1 I 

io ! f ' — - - -- 

1 I 0 

A digital image is typically represented with a two dimensional array of 
p.xel values. If A is the array of pixel values, then A(x,y) denotes the oixel value in the 
x-th column of the y-th row of the array. Each index x,y begins at zero, and by 
convention the origin is at the upper-left comer with positive coordinates going 
rightwards and downwards, although this convention is somewhat arbitrary. 

For labeling purposes, it will be assumed that the digital image is a 24-bit 
RGB image with pixel values ordered as shown in Table 2: « 

Table 2 



15 



20 



25 



30 



35 



MSB 



Red rr»»r, LSB 

aaan B i ue _ 



23 22 21 20 19 18 17 16 lb 14 13 12 11 10 9 a ~l - <= — 

*7 *6 RS M R3 R2 R1 R0 G7 G6 G5 » « g ^ J b 7 J b 5 j b 3 , b} b 0 

Thus, bits 16-23 refer to the red component, bits 8-15 refer to the green 
component, and bits 0-7 refer to the blue component for any given pixel value. For 
example, Wx,y) refers to the least-significant bit of the green component of the (x y> 
pixel in the image I. Since bit GO is equivalent to bit 8, W x,y) is equivalent to I,(x,y). 
As .with- the array convention, this labeling convention is somewhat arbitrary. 

An m-sequence is a pseudo-random sequence of binary digits (bits) 
m-sequences have good statistical properties and can be generated by linear feedback shift 
reg,sters (configured appropriately as is known in the art). Knowing the size (number of 
b»ts), structure (the feedback configuration), and initial fill (the initial contents of each bit) 
of the shift register allows the reconstruction of the entire m-sequence. The m-sequences 
here .llustratively are generated by a 96-bit m-sequence generator. If the structure and 
s.ze of the shift register are known (as would be the case with this embodiment) and if a 
consecutive portion of the m-sequence equal to twice the shift register size is also known 
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the initial fill used to generate the sequence can be determined. In this embodiment the 
initial fill is used as the key that generates the m-sequence. In this way, the key can be 
determined from the sequence itself by techniques known to those skilled in cryptography. 

When embedding a message into a carrier signal, the order in which pixel 
5 operations are performed may be an important consideration. A sequence function z(i) is 
defined to provide a one-to-one mapping from i->(x,y), where i is an ordinal number and 
(x,y) refers to coordinate values in an image. The ordinal i ranges from zero to N-l, 
where N is the total number of pixels in the image. Given a sequence function z(i), one 
can compute z(0), z(l), z(2), etc., to obtain a sequence of pixel coordinates (x^y,), 
10 (x 2 ,y 2 ), etc. As an example, z(i) = (i mod ImageWidth, \j / ImageWidthJ) denotes a 
sequence beginning at the origin and proceeding in a row-by-row fashion. 

Given these preliminary definitions, an implementation corresponding to 
the illustrative method of Fig. 2 of embedding a message into an image is shown by the 
block diagram in Fig. 3. Input signals are a source image 66 (obtained in step 50), an 
15 unencrypted message 68 (generated in step 52), and an encrypting key 70 (used in step 
54). Message 68 and encrypting key 70 are processed by an encrypted message generator 
76 to create an encrypted message signal 72. Encrypted message 72 is an input along 
with source image 66 into composite signal generator 78, which creates a composite 
signal 74 containing source image signal 66 embedded with encrypted message 72. 
20 Composite signal generator 78 illustratively embeds encrypted message 72 

into the least-significant bit in the green plane Icjo(x,y) of source image 66 to create a new 
least-significant green bit-plane I'oo(x,y) of composite signal 74. In order subsequently to 
extract encrypted message 72 from composite signal 74 (F) it will be necessary to know 
the original values of I 00 (x,y) from source image 66. This can of course easily be 
25 accomplished by making the original, unmodified image signal 66 available. Composite 
signal generator 78, however, eliminates the requirement of using original image signal 66 
by encoding the original W^y) into the least-significant red bit-plane I' R0 (x,y) of 
composite signal 74 as discussed below. Thus, in order to extract the embedded 
encrypted message 72, only composite signal 74 and the encrypting key 70 are needed. 
30 In order to use the method of Figs. 2 and 3 both a sender and receiver of 

composite signal 74 will need an m-bit shift register with identical feedback configurations 
and a well-defined ordering function z(i) for any arbitrary image. The following steps 
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describe the generation of the composite signal 74 (also referred to as public image I') 
from original signal 66 (also referred to as original image I), unencrypted message 68 
(illustratively a public encryption key, also referred to as K PUB ), and encrypting key 70 
(also referred to as As intimated above, encrypting key 70 (KJ is the initial fill of the 
m-sequence generator. 

In order to generate V, V is initially set to be an exact copy of I. V is then 
traversed in order 2 (i) and the red and green least-significant bit planes are set to: 



I'ro(zO)) = I'co(z(i)) © m-seq(2i) 

1'aotoi)) = k pub(') © I'oo(z(i)) « m-seq(2i+l) 

where KpUB (i) refers to the I-th bit of K PUB> and m-seq(j) refers to the j-th bit in the m- 
sequence using K, as the initial fill. With these two equations, information on portion 2 of 
the image (the green LSB plane) is first placed in portion 1 of the image (the red LSB 
plane). Then, the message is embedded in portion 2. 

To recover K PUB it is only necessary to have the composite signal or public 
image I' and the encrypting key K,. For each pixel in I' and in the order z(i), the first step 
is to extract ^(zQ)) by using the least-significant red bit plane and the m-sequence: 

l co*W)) = I' R o(z(i)) © m-seq(2i) 

Igo*(z(0) is identical to Wztf)) if there are no errors in I'. Then the i-th bit of K PUB (i) is 
computed by using ^(zO)): 

K PUB *(i) - I'goWO) © Ioo*(z(i)) © m-seq(2i+l) 

Thus, given K„ it is possible to reconstruct the same m-sequence used to generate I'. 
Thus, if no errors occur K PUB * should be identical to K PUB . Thus, the method of the 
invention provides for including within the image both the message that is embedded or 
encrypted in the image as well as the information needed to extract or decrypt the 
message from the image. 
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A more specific method corresponding to an implementation of the 
method of Figs. 2 and 3 is shown Fig. 4. The same input signals are used, that is, source 
image 66 (I), message 68 (here, Q instead of K PUB ), and encrypting key 70 (KJ are used. 
The primary refinement in the method of Fig. 4 as compared with Fig. 3 is an encoding 
5 process to handle varying length messages 68. 

Message 68, which in the example of Fig. 3 was a public encryption key 
for use in an asymmetric cryptography system, can more generally simply be a collection 
of bits intended to be encrypted and is referred to here as Q. The length (i.e., the total 
number of bits) of Q is denoted |Q|. The i-th bit of the message Q is denoted Q(i), where 
10 the bits are numbered from 0 to | Q | - 1 . 

Message 68 (Q) is an input signal to message generator 82 which has as a 
second input the output from a random noise generator 84. Random noise generator 84 
illustratively is also a 96-bit m-sequence generator using an initial fill of a computer 
system time value, although other suitable random signal generators can be used. 
15 Encrypting key 70 (K,) is an input signal (initial fill) to an m-sequence generator 80 that 
illustratively is the same as random noise generator 84, which then generates as an output 

an encrypting sequence 86. 

Unless the message 68 (Q) will always be the same length (in bits) and that 
length is the number of pixels in the source image, it will not be possible to embed Q 
20 directly onto source image 66 (I). It is therefore necessary to encode additional 

information that will enable subsequent extraction of messages Q of varying sizes from 
composite signal 74 (T). Thus, the message 88 to be encoded onto image 66 (I) is 
generated by message generator 82 with special properties and is denoted Q' to show that 
it is derived from Q. 

25 Q" has the following properties. For any given source image I, regardless 

of what message Q is being encoded, the size of a message Q* is the same as the total 
number of pixels in image I (that is, |Q' | - # pixels in I). The bits of message Q' are 
labeled according to standard convention, that is, the first bit (or the left-most bit if Q' is 
viewed as an ordered bit stream from left to right as shown in Fig. 5) is numbered zero. 

30 Thus the bits of Q' are numbered from zero to | Q' | - 1 . 

The structure of Q' is shown in Fig. 5. All bits except the last sixty-four 
form a data area 92. The last sixty-four bits consist of two thirty-two bit words (StartPos 



/ 
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and Length, in that order), which form a Trailer. Data area 92 includes data bits 98 that 
correspond to the message Q itself, and random bits 97, 99 that help hide the location of 
Q (bits 98) within Q\ As part of the encoding process, message generator 82 computes 
the length of message Q and stores its value in the final 32 bits 94 of the Trailer. The 
5 value of the length is not directly encoded and instead a value congruent (actual length 

« modulo Data Area size) is placed in the 32-bit word. It is trivial to recover the length 

* from this encoded value. 

Starti "8 Position 94 describesthe location" within data area 92 where the ~ 
bits of the message Q reside. Message generator 82 randomly chooses a place 98 to store 
10 Q and populates all other bits of unused portions 97, 99 in data area 92 with random 
noise generated by random noise generator 84. Thus, Q can be anywhere in data area 92 
Including noise for portions 97, 99 of data area 92 unused by message Q improves " 
security of data embedded within I because the noise increases the difficulty of 
recognizing the existence or location of Q within the data area. 

15 71,6 encodin S of «* bit of message Q' is encoded onto image I on a one- 

bit per one-pixel basis using an exdusive-OR as discussed above for the method of Fig. 3 . 
First, the output of m-sequence generator 80 (with K, as a seed value) is used to encrypt 
Q* in encrypter 90. Next, the encrypted Q' is embedded onto the LSB green plane 1^, 
Encrypted message Q is subsequently extracted from Q< by locating its starting position 
20 and length from the trailer. The extracted Q is then decoded as discussed above. 

Further implementation steps can be taken to increase security for message 
Q\ Random number generator 84 and m-sequence generator 80 can be different. Even if 
both use 96-bit m-sequence generators, this can be achieved simply by changing the 
feedback coefficients. Moreover, the message length 94 in the trailer can be relocated to 
25 data area 92 as shown in Fig. 6. This relocation will limit the ability of an attacker to take 
advantage of a known size of message Q. 

Another way to provide for security of data hidden within a carrier image 
is shown by the method of Fig. 7. In step 102 the carrier image is transformed from a first 
domain to a second domain. For example, a typical RGB image that is considered to be 
30 represented in a spatial domain can be transformed using a discrete cosine transform. A 
message is then embedded into the transformed carrier image in step 104, using any 
appropriate technique for embedding a message onto a carrier signal. An example of a 
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transformed image into which a message can be embedded would be a JPEG image, If 
desired, the message can also be pre-encrypted before being embedded into the 
transformed image to further improve security. The image is then transformed back into 
the first domain in step 106 and made available for access by third parties in step 108. 
5 For a third party to extract the message the steps are essentially reversed. 

First the image is copied by the third party in step 1 10, and it is then transformed into the 
second domain in step 1 12 using the same transform performed in step 106. Finally, the 
message is extracted in step 1 14, again, using any appropriate technique that corresponds 
to the technique used in step 104 for originally embedding the message. If the message 
1 0 was pre-encrypted then another decryption step (not shown) will be necessary. 

Encrypted messages relying on the use of encryption keys are used in the 
methods discussed above. For example, if a pre-encrypted message is embedded into an 
image, then the recipient will need a key to decrypt the message. A technique for 
providing for secure exchanges of encrypted data such as encryption keys that is known in 
1 5 the art is the use of a trusted third party. The trusted third party essentially acts as a 

secure broker in exchanging data between two other parties. It is within the scope of this 
invention to exchange information, such as encryption keys, by use of a trusted third 
party. 

Although the invention has been described in detail with reference to 
20 certain illustrated embodiments, variations and modifications exist within the scope and 
spirit of the present invention as described and defined in the following claims. 
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CLAIMS: 



sequence; 



1. A method of data hiding comprising the steps of: 

providing a message; 

providing an encrypting sequence; 

generating an encrypted message based on the message and the encrypting 



providing a carrier signal that conveys information unrelated to the 
encrypted message; and 

embedding the encrypted message into the carrier signal by performing an 
exclus.ve.OR of the encrypted message with a first portion of the carrier signal. 

2. The method of claim 1, wherein the carrier signal is a digital image. 

3. The method of claim 2, wherein the first portion of the carrier 
signal is an LSB plane of the digital image. 

4. The method of claim 1, further comprising the step of embedding 
the first portion of the carrier signal into a second portion of the carrier signal. 

5. The method of claim 4, wherein the carrier signal is a digital image 
havmg a plurality of color planes, the first portion of the carrier signal is an LSB plane of 
a first color plane, and the second portion of the carrier signal is an LSB plane of a second 
color plane. 

6. The method of claim 1, further comprising the steps of transmitting 
the composite signal to a receiving location, extracting the encrypted message from the 
composite signal at the receiving location, and decrypting the enaypted message at the 
receiving location. 

7. The method of claim 1, wherein the step of generating an 
encrypted message includes generating the encrypting sequence based on an encrypting 
key and performing an exclusive-OR of the message with the encrypting sequence to 
generate the encrypted message. 

8. The method of claim 7, further comprising the steps of transmitting 
the composite signal to a receiving location, extracting the encrypted message from the 
composite signal at the receiving location, and decrypting the encrypted message at the 
receiving location based on the encrypting key. 
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9. The method of claim i, wherein the step of providing a message 
comprised of providing a pre-encrypted message. 

1 0. The method of claim 9, further comprising the step of exchanging 
an encryption key for decrypting the pre-encrypted message using a trusted third party. 

5 11. A method of data hiding comprising the steps of: 

providing an encryption key; 

generating an encryption sequence based on the encryption key; 
providing a carrier signal that conveys information unrelated to the 
encryption key; and 

10 embedding the encryption sequence into the carrier signal. 

12. The method of claim 11, wherein the encryption key is a public key 
for an asymmetric encryption algorithm. 

13. The method of claim 1 1, wherein the carrier signal is selected from 
the group comprising digital images, digital audio, and digital video. 

15 14. The method of claim 1 1, wherein the encryption sequence is 

substantially random. 

15. The method of claim 1 4, wherein the encryption sequence is 

generated based on a linear feedback shift register. 

16. The method of claim 1 1 . wherein the step of embedding the 
20 encryption sequence includes performing an exciusive-OR of the encryption sequence 

with a portion of the carrier signal. 

17. The method of claim 11, further comprising the steps of 
transmitting the carrier signal including the embedded encryption sequence to a receiving 
location, extracting the encryption sequence from the composite signal at the receiving 

25 location, and deciphering the encryption sequence to obtain the encryption key at the 
receiving location. 

18. The method of claim 17, further comprising the steps of encrypting 
a message using the encryption key to generate an encrypted message at the receiving 
location and transmitting the encrypted message from the receiving location. 

30 19. A method of data hiding comprising the steps of: 

embedding an encrypted message into a first portion of a carrier signal; 

and 
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embedding message extraction information into a second portion of the 
carrier signal for extracting the encrypted message from the first portion of the carrier 
signal. 

20. The method of claim 1 9, wherein the step of embedding an 
encrypted message includes performing an exclusive-OR of the encrypted message with 
the first portion of the carrier signal. 

21. The method of claim 20, wherein the step of embedding message 
- -extraction-information includes performing ^~ ~ 

carrier signal with the second portion of the carrier signal. 

22. The method of claim 21, wherein the first and second portions of 
the carrier signal are first and second bit-planes of a digital image. 

23. A method of exchanging data hidden in a carrier signal comprising 

the steps of: 

generating a signal including hidden data by transforming a carrier signal 
from a first domain into a second domain, embedding a message into the carrier signal in 
the second domain, and transforming the carrier signal back from the second domain to 
the first domain; 

sending the signal including hidden data to a receiving location; and 
obtaining the message from the signal including hidden data at the 

receiving location by transforming the signal including hidden data into the second domain 

and extracting the message. 

24. The method of claim 23, further comprising the steps of encrypting 
the message prior to generating the signal including hidden data and decrypting the 
message after obtaining the message from the signal including hidden data. 

25. A data hiding apparatus comprising: 

an encryption sequence generator configured to generate an encryption 
sequence based on an encrypting key; 

an encrypted message generator configured to generate an encrypted ' 
message based on the encryption sequence and an input message; and 

an encrypted message embedder configured to embed the encrypted 
message into a carrier signal. 
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26. The method of claim 25, wherein the encryption sequence 
generator is configured to generate a substantially random encryption sequence. 

27. The method of claim 25, wherein the encrypted message generator 
is configured to perform an exclusive-OR of the input message with the encrypting 

5 sequence to generate the encrypted message. 

28. The method of claim 25, wherein the encrypted message embedder 
is configured to perform an exclusive-OR of the encrypted message with a portion of the 
carrier signal. 

29. The method of claim 28, wherein the encrypted message embedder 
10 is configured to replace a first LSB plane of the digital image with information based on a 

second LSB plane of the digital image and to perform an exclusive-OR of the encrypted 
message with the second LSB plane of the digital image. 
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